[Samba] further testing - Re: dhcp errors - Re: dhcp example

Robert Moskowitz rgm at htt-consult.com
Fri Sep 4 00:53:42 UTC 2015


This will be it for tonight...

Sep  3 20:35:30 homebase dhcpd: DHCPDISCOVER from 02:97:09:02:23:a2 (cubieboard2) via eth0
Sep  3 20:35:31 homebase dhcpd: DHCPOFFER on 192.168.192.21 to 02:97:09:02:23:a2 (cubieboard2) via eth0
Sep  3 20:35:31 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 17: /var/log/dyndns.log: Permission denied
Sep  3 20:35:31 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 49: which: command not found

# ls -ls /var/log/dy*
0 -rw-r--r-- 1 root dhcpd 0 Sep  3 20:27 /var/log/dyndns.log

# grep dhc /etc/passwd
dhcpd:x:177:177:DHCP server:/:/sbin/nologin

# systemctl status dhcpd
dhcpd.service - DHCPv4 Server Daemon
    Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; enabled)
    Active: active (running) since Thu 2015-09-03 15:58:44 EDT; 4h 46min ago
      Docs: man:dhcpd(8)
            man:dhcpd.conf(5)
  Main PID: 22993 (dhcpd)
    Status: "Dispatching packets..."
    CGroup: /system.slice/dhcpd.service
            └─22993 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd ...

So why does the script figure there is no log file and then try to 'touch' it?

Sep  3 20:35:31 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 62: which: command not found
Sep  3 20:35:31 homebase dhcpd: Internet Systems Consortium DHCP Server 4.2.5
Sep  3 20:35:31 homebase dhcpd: Copyright 2004-2013 Internet Systems Consortium.
Sep  3 20:35:31 homebase dhcpd: All rights reserved.
Sep  3 20:35:31 homebase dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Sep  3 20:35:31 homebase dhcpd: (current) UNIX password: Internet Systems Consortium DHCP Server 4.2.5
Sep  3 20:35:31 homebase dhcpd: Copyright 2004-2013 Internet Systems Consortium.
Sep  3 20:35:31 homebase dhcpd: All rights reserved.
Sep  3 20:35:31 homebase dhcpd: For info, please visit https://www.isc.org/software/dhcp/
Sep  3 20:35:31 homebase dhcpd: unable to create icmp socket: Operation not permitted
Sep  3 20:35:31 homebase dhcpd: Can't open /etc/dhcp/dhcpd.conf: Permission denied
Sep  3 20:35:31 homebase dhcpd: This version of ISC DHCP is based on the release available
Sep  3 20:35:31 homebase dhcpd: on ftp.isc.org.  Features have been added and other changes
Sep  3 20:35:31 homebase dhcpd: have been made to the base software release in order to make
Sep  3 20:35:31 homebase dhcpd: it work better with this distribution.
Sep  3 20:35:31 homebase dhcpd: Please report for this software via the CentOS Bugs Database:
Sep  3 20:35:31 homebase dhcpd: http://bugs.centos.org/
Sep  3 20:35:31 homebase dhcpd: unable to create icmp socket: Operation not permitted
Sep  3 20:35:31 homebase dhcpd: Can't open /etc/dhcp/dhcpd.conf: Permission denied
Sep  3 20:35:31 homebase dhcpd:

Huh?  Is it restarting dhcpd?  And why is it now complaining about permissions 
for /etc/dhcp/dhcpd.conf; it opened it earlier?  It is created 
root:root, not root:dhcpd.

Sep  3 20:35:33 homebase dhcpd: passwd: Authentication token manipulation error
Sep  3 20:35:33 homebase dhcpd: No dhcp user exists, need to create it first.. exiting.
Sep  3 20:35:33 homebase dhcpd: you can do this by typing the following commands
Sep  3 20:35:33 homebase dhcpd: Administrator at home.htt
Sep  3 20:35:33 homebase dhcpd: user create dhcpd --description="Unprivileged user for DNS updates via ISC DHCP server"
Sep  3 20:35:33 homebase dhcpd: user setexpiry dhcpd --noexpiry
Sep  3 20:35:33 homebase dhcpd: group addmembers DnsAdmins dhcpd
Sep  3 20:35:33 homebase dhcpd: execute: /usr/local/sbin/dhcp-dyndns.sh exit status 256

So what is needed here for the user?  And where is it being created?  Is 
this in kerberos?  Is there a separate kerberos daemon with sernet?

Sep  3 20:35:34 homebase dhcpd: Wrote 1 leases to leases file.
Sep  3 20:35:34 homebase dhcpd: DHCPREQUEST for 192.168.192.21 (192.168.192.2) from 02:97:09:02:23:a2 (cubieboard2) via eth0
Sep  3 20:35:34 homebase dhcpd: DHCPACK on 192.168.192.21 to 02:97:09:02:23:a2 (cubieboard2) via eth0
Sep  3 20:35:34 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 17: /var/log/dyndns.log: Permission denied
Sep  3 20:35:34 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 49: which: command not found

Looks like it is looping around again...  Same set of messages as the 
first set.

Please help here.  Thanks.


On 09/03/2015 08:27 PM, Robert Moskowitz wrote:
> I am reading through the script and see some things I did not change...
>
> Will do that and try again.  As well as create the log file manually.
>
> On 09/03/2015 07:47 PM, Robert Moskowitz wrote:
>> First I am having a couple challenges with your script here:
>>
>> On 09/03/2015 02:43 PM, Rowland Penny wrote:
>>>
>>> I thought that might be your next question, I wrote it, based on 
>>> what I found here:
>>>
>>> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/ 
>>>
>>>
>>> #!/bin/bash
>>>
>>> # /usr/local/sbin/dhcp-dyndns.sh
>>> # This script is for secure DDNS updates using GSS/TSIG on Samba 4
>>> # Version: 0.8.3 (includes TXTRR records)
>>> # Updated with suggestions from L. v. Belle louis at van-belle.nl
>>> # method to check for valid kerberos ticket changed
>>>
>>> LOG="/var/log/dyndns.log"
>>
>>> if [ -f /var/log/dyndns.log ]; then
>>>     :
>>> else
>>>     touch /var/log/dyndns.log
>>> fi
>>
>> Of course this file did not exist, and the 'touch' command failed on 
>> permissions.
>>
>> I assume dhcpd is running this script as user dhcpd, group dhcpd, so 
>> I don't see how it can create the file.  I have to create it and set 
>> the owner to root:dhcpd
>>
>>
>>>
>>> exec >> $LOG 2>&1
>>
>> Then this line fails and so forth.
>>
>>>
>>> ## CONFIGURATION ##
>>>
>>> # Samba 4 realm, change this to YOUR realm.
>>> SETREALM=EXAMPLE.COM
>>> ## define the dhcp user that will be used for the Dynamic updates to 
>>> samba4
>>> ## this will create a Principal like : user at realm
>>> SETDHCPUSER=dhcpduser
>>> # DNS domain, change this to YOUR dns domain
>>> domain=example.com
>>> # TXT RRs (rfc4701)
>>> # Set to YES to use TXT RRs
>>> TXTRRS="NO"
>>> # Additional nsupdate flags (-g already applied), e.g. "-d" for debug
>>> #NSUPDFLAGS="-d"
>>> # DNS nameserver
>>> ns=127.0.0.1
>>> #
>>> ## Do not change anything below here
>>> # Kerberos principal
>>> SETPRINCIPAL=$SETDHCPUSER@$SETREALM
>>> # Kerberos keytab
>>> SETDHCPKEYTAB=/etc/$SETDHCPUSER.keytab
>>> # Default DNS resource records TTL
>>> RRTTL="3600"
>>>
>>> # krbcc ticket cache
>>> export KRB5CCNAME="/tmp/dhcp-dyndns.cc"
>>>
>>> ## Command locations, with full paths it speeds up processing.
>>> ## ( tested on Ubuntu 14.04, Debian 7.5 )
>>> CMDSORT="$(which sort)"
>>> CMDAWK="$(which awk)"
>>> CMDHEAD="$(which head)"
>>> CMDECHO="$(which echo)"
>>> CMDDATE="$(which date)"
>>> CMDKINIT="$(which kinit)"
>>> CMDKLIST="$(which klist)"
>>> CMDGREP="$(which grep)"
>>> CMDGETENT="$(which getent)"
>>> CMDSAMBATOOL="$(which samba-tool)"
>>> CMDCHOWN="$(which chown)"
>>> CMDCHMOD="$(which chmod)"
>>> CMDHOST="$(which host)"
>>> CMDNSUPDATE="$(which nsupdate)"
>>>
>>> TESTUSER=$(${CMDGETENT} passwd | ${CMDGREP} "${SETDHCPUSER}")
>>
>> Sep  3 19:27:08 homebase dhcpd: /usr/local/sbin/dhcp-dyndns.sh: line 64: dhcpduser: command not found
>> Sep  3 19:27:09 homebase dhcpd: (current) UNIX password: passwd: Authentication token manipulation error
>> Sep  3 19:27:09 homebase dhcpd: No dhcp user exists, need to create it first.. exiting.
>> Sep  3 19:27:09 homebase dhcpd: you can do this by typing the following commands
>> Sep  3 19:27:09 homebase dhcpd: Administrator at EXAMPLE.COM
>> Sep  3 19:27:09 homebase dhcpd: user create dhcpduser --description="Unprivileged user for DNS updates via ISC DHCP server"
>> Sep  3 19:27:09 homebase dhcpd: user setexpiry dhcpduser --noexpiry
>> Sep  3 19:27:09 homebase dhcpd: group addmembers DnsAdmins dhcpduser
>> Sep  3 19:27:09 homebase dhcpd: execute: /usr/local/sbin/dhcp-dyndns.sh exit status 256
>>
>> Is this what I need to do, that is, create the dhcpduser?  There is 
>> no 'user' command.  Is this 'adduser'?
>>
>>> if [ -z "${TESTUSER}" ]; then
>>>     echo "No dhcp user exists, need to create it first.. exiting."
>>>     echo "you can do this by typing the following commands"
>>>     echo "${CMDKINIT} Administrator@${SETREALM}"
>>>     echo "${CMDSAMBATOOL} user create ${SETDHCPUSER} --description=\"Unprivileged user for DNS updates via ISC DHCP server\""
>>>     echo "${CMDSAMBATOOL} user setexpiry ${SETDHCPUSER} --noexpiry"
>>>     echo "${CMDSAMBATOOL} group addmembers DnsAdmins ${SETDHCPUSER}"
>>>     exit 1
>>> fi
>>>
>>> # Check for Kerberos keytab
>>> if [ -f "${SETDHCPKEYTAB}" ]; then
>>>     :
>>> else
>>>     echo "Required keytab ${SETDHCPKEYTAB} not found, it needs to be created."
>>>     echo "Use the following commands as root"
>>>     echo "${CMDSAMBATOOL} domain exportkeytab --principal=${SETPRINCIPAL} ${SETDHCPKEYTAB}"
>>>     testos=$(uname -a | grep 'Debian')
>>>     if [ -z "$testos" ]; then
>>>         echo "${CMDCHOWN} dhcpd:dhcpd ${SETDHCPKEYTAB}"
>>>         echo "${CMDCHMOD} 400 ${SETDHCPKEYTAB}"
>>>     fi
>>>     exit 1
>>> fi
>>>
>>> ## VARIABLES ##
>>>
>>> # Variables supplied by dhcpd.conf
>>> action=$1
>>> ip=$2
>>> DHCID=$3
>>> name=${4%%.*}
>>>
>>> usage()
>>> {
>>> echo "USAGE:"
>>> echo "  `basename $0` add ip-address dhcid|mac-address hostname"
>>> echo "  `basename $0` delete ip-address dhcid|mac-address"
>>> }
>>>
>>> _KERBEROS () {
>>> # get current time as a number
>>> test=$(${CMDDATE} +%d'-'%m'-'%y' '%H':'%M':'%S)
>>>
>>> # Check for valid kerberos ticket
>>> echo "$test [dyndns] : Running check for valid kerberos ticket"
>>> klist -c "$KRB5CCNAME" -s
>>> if [ "$?" != "0" ]; then
>>>     echo "$test [dyndns] : Getting new ticket, old one has expired"
>>>     kinit -F -k -t "${SETDHCPKEYTAB}" -c "$KRB5CCNAME" "${SETPRINCIPAL}"
>>>     if [ "$?" != "0" ]; then
>>>         echo "$test [dyndns] : dhcpd kinit for dynamic DNS failed"
>>>         exit 1;
>>>     fi
>>> else
>>>     echo "$test [dyndns] : New ticket not required, old one still valid"
>>> fi
>>>
>>> }
>>>
>>> # Exit if no ip address or mac-address
>>> if [ -z "$ip" ] || [ -z "$DHCID" ]; then
>>>     usage
>>>     exit 1
>>> fi
>>>
>>> # Exit if no computer name supplied, unless the action is 'delete'
>>> if [ "$name" = "" ]; then
>>>     if [ "$action" = "delete" ]; then
>>>         name=$(${CMDHOST} -t PTR "$ip" | ${CMDAWK} '{print $NF}' | ${CMDAWK} -F '.' '{print $1}')
>>>     else
>>>         usage
>>>         exit 1;
>>>     fi
>>> fi
>>>
>>> # Set PTR address
>>> ptr=$(${CMDECHO} $ip | ${CMDAWK} -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}')
>>>
>>> # Create RRTXT record
>>> RRTXT=$(${CMDECHO} "$DHCID$name.$domain" | sha256sum)
>>> RRTXT="000101${RRTXT%% *}"
>>> # extract txt record, if there is one
>>> RRTXTOLD=$(${CMDHOST} -t txt "$name.$domain" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p')
>>>
>>> ## ${CMDNSUPDATE} ##
>>>
>>> case "$action" in
>>> add)
>>>     if [ "$TXTRRS" = "YES" ]; then
>>>         TXTRRS=""
>>>         # if string is not null
>>>         if [ -n "$RRTXTOLD" ]; then
>>>             # if old RRTXT is not the same as $RRTXT then exit
>>>             if [ "$RRTXT" != "$RRTXTOLD" ]; then
>>>                 echo "DHCP-DNS: adding records for $ip ($name.$domain) FAILED: has A record but DHCID is wrong"
>>>                 exit 1
>>>             fi
>>>         fi
>>>     else
>>>         TXTRRS=";"
>>>     fi
>>>
>>>     _KERBEROS
>>>
>>> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
>>> server $ns
>>> realm ${SETREALM}
>>> update delete $name.$domain $RRTTL A
>>> ${TXTRRS}update delete $name.$domain $RRTTL TXT
>>> ${TXTRRS}update add $name.$domain $RRTTL TXT $RRTXT
>>> update add $name.$domain $RRTTL A $ip
>>> send
>>> UPDATE
>>> result1=$?
>>>
>>> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
>>> server $ns
>>> realm ${SETREALM}
>>> zone 0.168.192.in-addr.arpa
>>> update delete $ptr $RRTTL PTR
>>> update add $ptr $RRTTL PTR $name.$domain
>>> send
>>> UPDATE
>>> result2=$?
>>> ;;
>>> delete)
>>>      if [ "$TXTRRS" = "YES" ]; then
>>>         TXTRRS=""
>>>         if [ -n "$RRTXTOLD" ]; then
>>>             if [ "$RRTXT" != "$RRTXTOLD" ]; then
>>>                 echo "DHCP-DNS: removing records for $ip ($name.$domain) FAILED: has A record but DHCID is wrong"
>>>                 exit 1
>>>             fi
>>>         else
>>>             TXTRRS=";"
>>>         fi
>>>      else
>>>        TXTRRS=";"
>>>      fi
>>>
>>>      _KERBEROS
>>>
>>> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
>>> server $ns
>>> realm ${SETREALM}
>>> update delete $name.$domain $RRTTL A
>>> ${TXTRRS}update delete $name.$domain $RRTTL TXT
>>> send
>>> UPDATE
>>> result1=$?
>>> ${CMDNSUPDATE} -g $NSUPDFLAGS << UPDATE
>>> server $ns
>>> realm ${SETREALM}
>>> update delete $ptr $RRTTL PTR
>>> send
>>> UPDATE
>>> result2=$?
>>> ;;
>>> *)
>>> echo "Invalid action specified"
>>> exit 103
>>> ;;
>>> esac
>>>
>>> result="$result1$result2"
>>>
>>> if [ "$result" != "00" ]; then
>>>     echo "DHCP-DNS Update failed: $result"
>>>     logger "DHCP-DNS Update failed: $result"
>>> else
>>>    echo "DHCP-DNS Update succeeded"
>>>    logger "DHCP-DNS Update succeeded"
>>> fi
>>>
>>> exit $result
>>
>> Sep  3 19:27:09 homebase dhcpd: DHCPREQUEST for 192.168.192.21 (192.168.192.2) from 02:97:09:02:23:a2 (cubieboard2) via eth0
>> Sep  3 19:27:09 homebase dhcpd: DHCPACK on 192.168.192.21 to 02:97:09:02:23:a2 (cubieboard2) via eth0
>> Sep  3 19:27:12 homebase named[22720]: client 192.168.192.21#36919 (0.centos.pool.ntp.org): query (cache) '0.centos.pool.ntp.org/A/IN' denied
>>
>> Oops, looks like I have acl problems in named.  That I know how to 
>> fix...
>>
>>
>>
>
>
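Added example (not the script quoted in this thread, and not any poster's code): prerequisite checks for a dhcpd hook that runs as the unprivileged dhcpd user with the minimal environment a daemon passes along. It targets the three failures visible in the logs above: `which` is not found in the hook's environment, so every `CMD*` variable ends up empty and `${CMDGETENT} passwd | ${CMDGREP} "${SETDHCPUSER}"` expands to a bare `passwd` call piped into `dhcpduser` (hence "(current) UNIX password:" and "dhcpduser: command not found"); the hook cannot create /var/log/dyndns.log in /var/log as a non-root user; and once the file exists as 0644 root:dhcpd, group dhcpd still has no write bit, so `exec >> $LOG` is denied. The function names, the explicit PATH value, the return codes and the `id -u` fallback are this example's own assumptions.

```shell
#!/bin/bash
# Added example: defensive preflight checks for an unprivileged DHCP-to-DNS hook.
# Hypothetical helper names; nothing here comes from the thread's script.

# A daemon started by systemd does not hand the hook a login PATH, so set one
# explicitly instead of trusting the inherited environment (assumed value).
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# resolve_cmd NAME: print the full path of NAME using the shell builtin
# `command -v`; unlike `which` it needs no external binary. Returns 1 if absent.
resolve_cmd() {
    command -v "$1" 2>/dev/null
}

# require_cmds NAME...: fail if any command is missing, so the caller never
# expands an empty variable into a different command (an empty ${CMDGETENT}
# turns `getent passwd | grep user` into a stray `passwd` invocation).
require_cmds() {
    local missing=0 c
    for c in "$@"; do
        if ! resolve_cmd "$c" >/dev/null; then
            echo "missing required command: $c" >&2
            missing=1
        fi
    done
    return $missing
}

# user_exists NAME: exact NSS lookup by key. `getent passwd | grep NAME` is a
# substring match and would also accept "dhcpduser2" or a GECOS field that
# happens to contain the name. Falls back to `id -u` on systems without getent.
user_exists() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" >/dev/null 2>&1
    else
        id -u "$1" >/dev/null 2>&1
    fi
}

# log_writable FILE: true only if FILE already exists and the current user can
# append to it. The hook must not try to `touch` a file under /var/log: as a
# non-root user that fails, and a 0644 root:dhcpd file still denies group writes.
# The administrator pre-creates it (e.g. root:dhcpd, mode 0664).
log_writable() {
    [ -f "$1" ] && [ -w "$1" ]
}

# preflight USER LOGFILE CMD...: run every check before any privileged-looking
# work. Return codes (assumed): 0 ok, 2 missing command, 3 no such user,
# 4 log file not writable.
preflight() {
    local user="$1" log="$2"
    shift 2
    require_cmds "$@" || return 2
    if ! user_exists "$user"; then
        echo "user $user does not exist" >&2
        return 3
    fi
    if ! log_writable "$log"; then
        echo "cannot append to $log; pre-create it as root:$user with mode 0664" >&2
        return 4
    fi
    return 0
}

# Stand-alone demonstration with the thread's user name and log path as
# constructed inputs; run as `./preflight.sh demo`.
if [ "${1:-}" = "demo" ]; then
    if preflight dhcpd /var/log/dyndns.log getent kinit klist nsupdate host; then
        echo "preflight ok"
    else
        echo "preflight failed with status $?"
    fi
fi
```

Wiring this in front of the real hook keeps a missing tool or an unwritable log from silently changing what the script executes: the hook exits with a distinct code and one line on stderr, which dhcpd forwards to syslog exactly as the messages above were forwarded.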



